Privacy policy grounded in accountability.

This Privacy Policy explains how XMS QUEST SRL ("Company", "we", "us", or "our") collects, uses, stores, and protects personal data when you access or use DCA, a software-as-a-service platform available at https://dca.xms.quest (the "Service").

This Privacy Policy forms an integral part of our Terms of Service and applies to all users in the European Union, United States, and other jurisdictions, subject to applicable law.

Last updated: October 24, 2023

Data Controller

Company: XMS QUEST SRL
Registered address: Str. Occidentului 71, Bl. 1, Sc. A, Ap. 25, Cod 077160, Romania
Email (privacy matters): bogdan@xms.quest

Scope of This Privacy Policy

The DCA web application
Related services, communications, and support interactions
Users accessing the Service from the EU, US, and other regions

The Service is intended for a general audience.

Minors may use the Service only under the supervision of a parent or legal guardian. We do not knowingly collect personal data from children without such supervision.

Categories of Personal Data We Collect

3.1 Identification and Account Data

Name
Email address
Hashed password

Purpose: Account creation, authentication, service delivery.

3.2 Financial and Billing Data

Payment-related data required to process subscriptions

Important: We do not store payment card details. Payments are processed securely by Stripe.

3.3 Usage and Technical Data

Payment status events
System and security logs
Device and browser metadata (to the extent required for security)

3.4 Communications

Emails and support messages you send to us

Purposes and Legal Bases for Processing (EU & US)

We process personal data only where legally permitted.

EU (GDPR – Article 6)

PurposeLegal Basis

Purpose

Account creation & service delivery

Legal Basis

Performance of a contract

Purpose

Billing & subscriptions

Legal Basis

Performance of a contract

Purpose

Security & fraud prevention

Legal Basis

Legitimate interest

Purpose

Legal & tax compliance

Legal Basis

Legal obligation

Purpose

Non-essential communications

Legal Basis

Consent (where required)

US Legal Basis

For US users, we process personal data based on:

Contractual necessity
Legitimate business purposes
Compliance with legal obligations

Cookies and Tracking Technologies

We use essential cookies only, strictly necessary for:

Authentication
Session management
Security and fraud prevention

We do not use:

Marketing cookies
Behavioral advertising cookies
Analytics cookies (at present)

If this changes, we will update this policy and obtain consent where required.

Third-Party Processors and Service Providers

We share personal data only with trusted third-party providers acting as data processors, including:

ProviderPurpose / Location

Provider

Stripe

Purpose / Location

Payments (EU / US)

Provider

Amazon SES

Purpose / Location

Transactional emails (EU)

Provider

SnapTrade

Purpose / Location

Broker integrations (Canada)

Provider

AlphaVantage

Purpose / Location

Financial data (USA)

Provider

Contabo

Purpose / Location

Cloud hosting (EU)

Provider

MongoDB

Purpose / Location

Database infrastructure (USA)

All processors are contractually required to:

Process data only on our instructions
Apply appropriate security measures
Comply with applicable data protection laws

International Data Transfers

Where personal data is transferred outside the European Union, we rely on:

Standard Contractual Clauses (SCCs), or
Other lawful transfer mechanisms recognized under GDPR

Data Retention

We retain personal data only as long as necessary:

Data CategoryRetention

Data Category

Account data

Retention

Until account deletion

Data Category

Logs & security data

Retention

30–90 days

Data Category

Billing records

Retention

As required by law

Data Category

Broker-related data

Retention

Until user deletion

Data Category

Portfolio data

Retention

Updated at each login

Your Rights

EU Users (GDPR)

You have the right to:

Access
Rectification
Erasure
Restriction
Portability
Objection
Withdraw consent

US Users (CCPA/CPRA-aligned)

Where applicable, you may have the right to:

Know what personal data we collect
Request deletion
Request correction
Opt out of certain data sharing (if applicable)

We do not sell personal data.

Exercising Your Rights

Email: bogdan@xms.quest

Response time: within 30 days

Automated Processing and Profiling

The Service displays financial indicators (e.g., P/E, P/B, ROA, ROE, dividend estimates) using predefined thresholds and visual indicators. These:

Are informational only
Do not produce legal or similarly significant effects
Do not constitute financial, investment, or trading advice

No automated decision-making under GDPR Article 22 is performed.

Security Measures

We implement technical and organizational safeguards appropriate to the risk, including:

Password hashing and encryption
Role-based access controls
Restricted production access
Logging and monitoring
Incident detection and response procedures

Personal Data Breaches

In the event of a personal data breach:

We will assess the incident promptly
Notify the relevant supervisory authority within 72 hours where required
Notify affected users where there is a high risk to rights and freedoms

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be communicated via email and reflected by an updated "Last updated" date. Continued use of the Service constitutes acceptance of the updated policy.

Complaints and Supervisory Authorities

EU

You may lodge a complaint with your local data protection authority.

Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

US

You may contact us directly regarding privacy concerns. We will respond in accordance with applicable US law.

Contact

For privacy-related questions or requests:

bogdan@xms.quest

Contact Privacy Team

Scope of This Privacy Policy

The DCA web application
Related services, communications, and support interactions
Users accessing the Service from the EU, US, and other regions

The Service is intended for a general audience.

Minors may use the Service only under the supervision of a parent or legal guardian. We do not knowingly collect personal data from children without such supervision.

Categories of Personal Data We Collect

3.1 Identification and Account Data

Name
Email address
Hashed password

Purpose: Account creation, authentication, service delivery.

3.2 Financial and Billing Data

Payment-related data required to process subscriptions

Important: We do not store payment card details. Payments are processed securely by Stripe.

3.3 Usage and Technical Data

Payment status events
System and security logs
Device and browser metadata (to the extent required for security)

3.4 Communications

Emails and support messages you send to us

Purposes and Legal Bases for Processing (EU & US)

We process personal data only where legally permitted.

EU (GDPR – Article 6)

PurposeLegal Basis

Purpose

Account creation & service delivery

Legal Basis

Performance of a contract

Purpose

Billing & subscriptions

Legal Basis

Performance of a contract

Purpose

Security & fraud prevention

Legal Basis

Legitimate interest

Purpose

Legal & tax compliance

Legal Basis

Legal obligation

Purpose

Non-essential communications

Legal Basis

Consent (where required)

US Legal Basis

For US users, we process personal data based on:

Contractual necessity
Legitimate business purposes
Compliance with legal obligations

Third-Party Processors and Service Providers

We share personal data only with trusted third-party providers acting as data processors, including:

ProviderPurpose / Location

Provider

Stripe

Purpose / Location

Payments (EU / US)

Provider

Amazon SES

Purpose / Location

Transactional emails (EU)

Provider

SnapTrade

Purpose / Location

Broker integrations (Canada)

Provider

AlphaVantage

Purpose / Location

Financial data (USA)

Provider

Contabo

Purpose / Location

Cloud hosting (EU)

Provider

MongoDB

Purpose / Location

Database infrastructure (USA)

All processors are contractually required to:

Process data only on our instructions
Apply appropriate security measures
Comply with applicable data protection laws

Data Retention

We retain personal data only as long as necessary:

Data CategoryRetention

Data Category

Account data

Retention

Until account deletion

Data Category

Logs & security data

Retention

30–90 days

Data Category

Billing records

Retention

As required by law

Data Category

Broker-related data

Retention

Until user deletion

Data Category

Portfolio data

Retention

Updated at each login

Your Rights

EU Users (GDPR)

You have the right to:

Access
Rectification
Erasure
Restriction
Portability
Objection
Withdraw consent

US Users (CCPA/CPRA-aligned)

Where applicable, you may have the right to:

Know what personal data we collect
Request deletion
Request correction
Opt out of certain data sharing (if applicable)

We do not sell personal data.

Exercising Your Rights

Email: bogdan@xms.quest

Response time: within 30 days

Automated Processing and Profiling

The Service displays financial indicators (e.g., P/E, P/B, ROA, ROE, dividend estimates) using predefined thresholds and visual indicators. These:

Are informational only
Do not produce legal or similarly significant effects
Do not constitute financial, investment, or trading advice

No automated decision-making under GDPR Article 22 is performed.

Privacy policy grounded in .css-1epp86z{color:var(--primary);}accountability.

Data Controller

Scope of This Privacy Policy

Categories of Personal Data We Collect

3.1 Identification and Account Data

3.2 Financial and Billing Data

3.3 Usage and Technical Data

3.4 Communications

Purposes and Legal Bases for Processing (EU & US)

EU (GDPR – Article 6)

US Legal Basis

Cookies and Tracking Technologies

Third-Party Processors and Service Providers

International Data Transfers

Data Retention

Your Rights

EU Users (GDPR)

US Users (CCPA/CPRA-aligned)

Exercising Your Rights

Automated Processing and Profiling

Security Measures

Personal Data Breaches

Changes to This Privacy Policy

Complaints and Supervisory Authorities

EU

US

Contact

Privacy policy grounded in .css-1epp86z{color:var(--primary);}accountability.

Data Controller

Scope of This Privacy Policy

Categories of Personal Data We Collect

3.1 Identification and Account Data

3.2 Financial and Billing Data

3.3 Usage and Technical Data

3.4 Communications

Purposes and Legal Bases for Processing (EU & US)

EU (GDPR – Article 6)

US Legal Basis

Cookies and Tracking Technologies

Third-Party Processors and Service Providers

International Data Transfers

Data Retention

Your Rights

EU Users (GDPR)

US Users (CCPA/CPRA-aligned)

Exercising Your Rights

Automated Processing and Profiling

Security Measures

Personal Data Breaches

Changes to This Privacy Policy

Complaints and Supervisory Authorities

EU

US

Contact

Privacy policy grounded in accountability.

Privacy policy grounded in accountability.